This post outlines the most common forms of advertising fraud we’re seeing of late. Most of these malpractices affect both networks and advertisers when they inadvertently purchase maliciously delivered inventory. Others are common among affiliate programs, or in cases that involve direct, performance-based relationships between advertisers and the partners who deliver traffic.

1. Traffic laundering

Traffic laundering is the practice of masking the true source of traffic so that it masquerades as something it is not. It stems from the somewhat understandable desire of some webmasters not to reveal their lucrative traffic sources. Fraudsters have widely adopted it to make investigation difficult. More recently, it has been used to dupe ad exchanges and real-time bidding networks into treating traffic as more valuable than it actually is.

It can be done server-side, by repopulating the referrer so that the traffic appears to come from a different site than the one the visitor is actually looking at, or through client-side scripting. The client-side variant is typically done using adware, since injecting extra elements into a browser is fairly trivial. The server-side variant can be used, for example, to hide the fact that the traffic is being sent from sites that are unacceptable to the advertiser (non-brand-safe content); such traffic is typically cheaper to acquire than mainstream, acceptable traffic.
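One way a buyer can surface laundered referrers is to compare the site declared at purchase time with the site a measurement tag inside the creative actually observed. The sketch below is an added example, not part of the original post; the record layout, seller ids, domains and thresholds are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (seller id, page URL declared in the bid request, top-level
# origin reported by a tag in the creative, or None when the tag never reported).
IMPRESSIONS = [
    ("seller-a", "https://news.example/politics", "https://news.example"),
    ("seller-a", "https://www.news.example/sport", "https://news.example"),
    ("seller-a", "https://news.example/tech", None),
    ("seller-b", "https://premium-mag.example/", "https://cheap-clips.example"),
    ("seller-b", "https://premium-mag.example/a", "https://cheap-clips.example"),
    ("seller-b", "https://premium-mag.example/b", "https://m.premium-mag.example"),
    ("seller-b", "https://premium-mag.example/c", "https://other-clips.example"),
]

def host(url):
    """Lower-cased hostname without a leading 'www.'."""
    h = (urlsplit(url).hostname or "").lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h

def same_site(declared, observed):
    """True when the hosts are equal or one is a subdomain of the other.
    A production check would compare registrable domains instead."""
    d, o = host(declared), host(observed)
    return bool(d and o) and (d == o or d.endswith("." + o) or o.endswith("." + d))

def laundering_report(rows, min_measured=3, max_mismatch=0.25):
    """Per seller: share of measured impressions whose declared site differs
    from the observed one. Unmeasured impressions are counted separately."""
    stats = defaultdict(lambda: {"measured": 0, "mismatch": 0, "unmeasured": 0, "seen": set()})
    for seller, declared, observed in rows:
        s = stats[seller]
        if observed is None:
            s["unmeasured"] += 1
            continue
        s["measured"] += 1
        if not same_site(declared, observed):
            s["mismatch"] += 1
            s["seen"].add(host(observed))
    report = {}
    for seller, s in stats.items():
        rate = s["mismatch"] / s["measured"] if s["measured"] else 0.0
        report[seller] = {"mismatch_rate": rate, "unmeasured": s["unmeasured"],
                          "observed_hosts": sorted(s["seen"]),
                          "flagged": s["measured"] >= min_measured and rate > max_mismatch}
    return report

if __name__ == "__main__":
    print(laundering_report(IMPRESSIONS))
```

A seller with a high share of unmeasured impressions deserves its own look, since blocking the measurement tag is another way to keep the true source out of view.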

2. Impression generation

Quite often paired with traffic laundering, impression generation is the practice of either using a cheap traffic source to generate more visitors who view the ad in an illegitimate way, or using server-side scripting to display ads in invisible iframes, or covered by other site elements, in otherwise well-visited places. The invisibly delivered ads, if they are paid CPM, are a clear-cut case of fraud. In other cases this is used to give the aura of legitimacy while a different script or pack of users generates click-throughs on the same ad zone for CPC profit. Sophisticated impression generation schemes involve adware (where real browsing users are served invisible ads) or botnets, which are assigned to view a given site while imitating human behavior.
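The invisible-iframe and covered-ad cases leave measurable traces when a script on the page reports the ad's geometry and styling. The following added example (not from the original post) classifies such reports; the beacon fields and the `min_area` cut-off are assumptions, and the default 50% of pixels for one second follows the MRC display viewability guideline.

```python
# Constructed beacons from a hypothetical in-page measurement script. "ad" is
# (left, top, width, height) in CSS px relative to the viewport; "occluded" means
# another element covers the ad; "visible_ms" is the longest continuous time in view.
BEACONS = [
    {"id": "imp-1", "ad": (100, 200, 300, 250), "viewport": (1280, 800),
     "opacity": 1.0, "display": "block", "occluded": False, "visible_ms": 4200},
    {"id": "imp-2", "ad": (0, 0, 1, 1), "viewport": (1280, 800),
     "opacity": 1.0, "display": "block", "occluded": False, "visible_ms": 9000},
    {"id": "imp-3", "ad": (-5000, 0, 728, 90), "viewport": (1280, 800),
     "opacity": 1.0, "display": "block", "occluded": False, "visible_ms": 0},
    {"id": "imp-4", "ad": (100, 100, 300, 250), "viewport": (1280, 800),
     "opacity": 0.0, "display": "block", "occluded": False, "visible_ms": 6000},
    {"id": "imp-5", "ad": (100, 100, 300, 250), "viewport": (1280, 800),
     "opacity": 1.0, "display": "block", "occluded": True, "visible_ms": 6000},
    {"id": "imp-6", "ad": (100, 700, 300, 250), "viewport": (1280, 800),
     "opacity": 1.0, "display": "block", "occluded": False, "visible_ms": 3000},
]

def in_view_fraction(ad, viewport):
    """Share of the ad's area that intersects the viewport (0.0 to 1.0)."""
    left, top, width, height = ad
    vw, vh = viewport
    if width <= 0 or height <= 0:
        return 0.0
    ix = max(0, min(left + width, vw) - max(left, 0))
    iy = max(0, min(top + height, vh) - max(top, 0))
    return (ix * iy) / (width * height)

def hidden_reasons(b, min_fraction=0.5, min_ms=1000, min_area=100):
    """Reasons this impression could not have been seen; empty if it could."""
    reasons = []
    if b["ad"][2] * b["ad"][3] < min_area:
        reasons.append("tiny_frame")        # e.g. a 1x1 iframe
    if b["display"] == "none" or b["opacity"] < 0.05:
        reasons.append("styled_invisible")
    if b["occluded"]:
        reasons.append("covered")
    if in_view_fraction(b["ad"], b["viewport"]) < min_fraction:
        reasons.append("out_of_view")
    elif b["visible_ms"] < min_ms:
        reasons.append("too_brief")
    return reasons

def audit(beacons):
    """Map impression id -> reasons, for impressions with at least one."""
    return {b["id"]: r for b in beacons if (r := hidden_reasons(b))}
```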

3. Cookie poisoning

Cookie stuffing, the old practice of affiliate fraud, has found a new home in the display advertising marketplace. The trick is simple: remarketing relies on browser cookies indicating that a given user has visited a site that is running a remarketing campaign, which the advertiser uses to lure those visitors back to the site. Clicks from these users are typically more expensive, so a webmaster can employ server-side scripting to open invisible iframes to pages that deploy remarketing cookies for later targeting. Thus, no matter who their actual users are, they will be sold to the ad marketplace as users with purchasing intent. Even stray clicks can lead to nice profits in this case, and much more so if further ad-clicking schemes are in place.

This trick can get much more sophisticated, and lucrative, with the involvement of a botnet. With a fairly simple set of commands, a fraudster can sell off their inventory as premium users who not only cruise sites with purchasing intent but also, for example, read the New York Times, because the fraudster sends the botnet to collect the cookies of these sites before having it come and click on the ads.
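A site whose remarketing pages are being opened in hidden iframes can see it in its own request logs, because browsers that send Fetch Metadata headers mark a framed, cross-site load differently from a real navigation. The example below is added here and is not from the original post; the log layout, field names, hosts and the `min_hits` threshold are constructed assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed access-log lines for a merchant page that sets the remarketing
# cookie. sec_fetch_* hold the browser's Sec-Fetch-Dest / Sec-Fetch-Site headers.
LOG = """\
{"client": "c1", "referer": "https://blog.example/review", "sec_fetch_dest": "document", "sec_fetch_site": "cross-site"}
{"client": "c2", "referer": "https://blog.example/review", "sec_fetch_dest": "document", "sec_fetch_site": "cross-site"}
{"client": "c3", "referer": "https://clips.example/", "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site"}
{"client": "c4", "referer": "https://clips.example/", "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site"}
{"client": "c5", "referer": "https://clips.example/", "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site"}
{"client": "c6", "referer": "https://clips.example/", "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site"}
{"client": "c7", "referer": "https://partner.example/", "sec_fetch_dest": "iframe", "sec_fetch_site": "cross-site"}
{"client": "c8", "referer": "https://partner.example/deal", "sec_fetch_dest": "document", "sec_fetch_site": "cross-site"}
{"client": "c9", "referer": "https://partner.example/deal", "sec_fetch_dest": "document", "sec_fetch_site": "cross-site"}
{"client": "c10", "referer": "https://partner.example/deal", "sec_fetch_dest": "document", "sec_fetch_site": "cross-site"}
{"client": "c11", "referer": "", "sec_fetch_dest": "document", "sec_fetch_site": "none"}
"""

def framed_cookie_drops(log_text, min_hits=3):
    """Referring hosts that mostly load the page inside a cross-site iframe.

    A host is reported when it produced at least `min_hits` framed loads and
    more framed loads than top-level navigations.
    """
    framed, navigated = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ref = (urlsplit(rec.get("referer") or "").hostname or "(none)").lower()
        if rec.get("sec_fetch_dest") == "iframe" and rec.get("sec_fetch_site") == "cross-site":
            framed[ref] += 1
        elif rec.get("sec_fetch_dest") == "document":
            navigated[ref] += 1
    return {ref: {"framed": n, "navigated": navigated[ref]}
            for ref, n in framed.items()
            if n >= min_hits and n > navigated[ref]}

if __name__ == "__main__":
    print(framed_cookie_drops(LOG))
```

Requests from clients that do not send these headers fall into neither bucket here and need a separate signal.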

4. URL hijacking

This is a lesser-known but nonetheless lucrative scheme, where the impression laundering method is paired with an arbitrage opportunity. The scheme typically affects merchants with affiliate programs: a fraudulent webmaster may bid on the merchant's brand name in Google AdWords, launder the referring domain and collect affiliate commissions. Companies' terms of service differ on the subject, and the practice adds no value to the customer acquisition channel: the webmasters simply insert themselves between the customer and the merchant page.

This can also be done through certain CPV networks that are more commonly known as adware traffic. In this case the tracking cookie would be delivered straight on the merchant’s buy page. With botnets to boot, the scheme can become immensely lucrative. Such was the case of DNSChanger.

Control of the client’s browser through adware or trojans can lead to even more sophisticated forms of URL hijacking. Fraudsters can replace the ad zones of popular sites with their own, denying the appropriate attribution for a given ad impression or click.

These are the most typical elements of ad fraud we have been seeing — of course, a sophisticated attacker will always combine at least some aspects of the above to throw investigators off track. In the cases of massive inventory, it’s sometimes enough to make the traffic delivery practice look complicated but feasible to deter managers from probing further into the matter.

Manual investigation is hindered by time and resource constraints. In cases where decision makers feel that the numbers don't add up, we advise employing dedicated tools that help investigators get to the bottom of the issue. We offer an automated detection system to highlight potential abuse by publishers and affiliates that are practicing any of the above. You can apply for our free antifraud audit to get a transparency report filtering fraudulent activities.